CVE-2023-36004
📋 TL;DR
This vulnerability allows attackers to spoof DPAPI (Data Protection API) calls on Windows systems, potentially enabling them to decrypt protected data without proper authorization. It affects Windows systems where DPAPI is used for credential and data protection. Attackers need local access or the ability to execute code on the target system.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21H2 by Microsoft
Windows 10 22H2 by Microsoft
Windows 11 21H2 by Microsoft
Windows 11 22H2 by Microsoft
Windows 11 23H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Attackers could decrypt sensitive DPAPI-protected data including saved credentials, certificates, and application secrets, leading to credential theft and lateral movement within the network.
Likely Case
Local attackers or malware could extract saved credentials and sensitive data from compromised systems, enabling privilege escalation and persistence.
If Mitigated
With proper access controls and monitoring, impact is limited to systems already compromised by attackers with local access.
🎯 Exploit Status
Requires local access or the ability to execute code on the target system. No public exploit code was available as of this writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: November 2023 security updates (KB5032190 for Windows 11, KB5032192 for Windows 10, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36004
Restart Required: Yes
Instructions:
1. Apply the November 2023 Windows security updates via Windows Update.
2. For enterprise: deploy through WSUS or Microsoft Endpoint Configuration Manager.
3. Verify update installation with the 'winver' command showing the November 2023 updates.
🔧 Temporary Workarounds
Restrict local access
Limit local user access to sensitive systems and implement least privilege principles
Monitor DPAPI usage
Enable auditing for DPAPI calls and monitor for suspicious activity
auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable
🧯 If You Can't Patch
- Implement strict access controls and limit local administrative privileges
- Monitor for suspicious DPAPI usage and credential access attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the November 2023 security updates are installed via the 'winver' or 'systeminfo' command
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify KB5032190 (Windows 11) or KB5032192 (Windows 10) or equivalent Server updates are installed
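The following PowerShell script is an added example, not part of the advisory or of any Microsoft tooling. It checks for the two KB numbers listed above with Get-HotFix, reports the OS build from the registry so it can be compared against the build number in the MSRC advisory (a later cumulative update supersedes the November one and may be the only LCU Get-HotFix lists), and reads back the auditpol subcategory the workaround section tells you to enable. The KB list is the page's; the Server KBs are not on the page and must be added from the advisory.

```powershell
# Added example (not from the advisory): verify the patch and the audit workaround.
# Run in an elevated PowerShell on the host being checked.

# KB numbers taken from this page; extend from the MSRC advisory for other SKUs.
$PatchKBs = @('KB5032190', 'KB5032192')

function Get-InstalledPatchStatus {
    param([string[]]$KnownKBs = $PatchKBs)

    # CurrentBuild/UBR give the full build (e.g. 22621.xxxx) to compare with the advisory.
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched = @($installed | Where-Object { $KnownKBs -contains $_ })

    [pscustomobject]@{
        Product        = $ver.ProductName
        DisplayVersion = $ver.DisplayVersion     # e.g. 22H2 (absent on very old builds)
        Build          = "$($ver.CurrentBuild).$($ver.UBR)"
        MatchedKBs     = $matched
        KBPresent      = ($matched.Count -gt 0)
    }
}

function Get-AuditSubcategoryStatus {
    param([string]$Subcategory = 'Other Object Access Events')

    # auditpol prints a table; the last column holds the current setting.
    $raw  = auditpol /get /subcategory:"$Subcategory" 2>$null
    $line = $raw | Where-Object { $_ -match [regex]::Escape($Subcategory) } | Select-Object -First 1
    [pscustomobject]@{
        Subcategory = $Subcategory
        Setting     = if ($line) { ($line -replace "^\s*$([regex]::Escape($Subcategory))\s+", '').Trim() } else { 'unknown (run elevated?)' }
    }
}

$patch = Get-InstalledPatchStatus
$audit = Get-AuditSubcategoryStatus
$patch | Format-List
$audit | Format-List

if (-not $patch.KBPresent) {
    Write-Warning "None of $($PatchKBs -join ', ') listed by Get-HotFix. Compare build $($patch.Build) with the fixed build in the MSRC advisory before concluding the host is unpatched."
}
if ($audit.Setting -notmatch 'Success and Failure') {
    Write-Warning "'$($audit.Subcategory)' is not auditing success and failure; see the workaround above."
}
```

Treat a missing KB as a prompt to compare the build number rather than as proof of exposure, since the December 2023 or later cumulative update replaces the November package on disk.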
📡 Detection & Monitoring
Log Indicators:
- Event ID 4663 for DPAPI access attempts
- Suspicious credential access patterns
- Multiple failed DPAPI decryption attempts
Network Indicators:
- Lateral movement following credential extraction
- Unusual authentication patterns from compromised systems
SIEM Query:
EventID=4663 AND ObjectType="DPAPI" | stats count by AccountName, ProcessName
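The SIEM query above, expressed against a single host's Security log with Get-WinEvent, as an added example that is not part of the advisory. The field names (SubjectUserName, SubjectDomainName, ProcessName, ObjectType, ObjectName) are those in the 4663 event XML; the ObjectType filter value "DPAPI" is copied from the page's query and kept as a parameter so it can be changed to whatever object type your audit configuration actually records, and a time window and event cap are added so the script is usable on a busy host.

```powershell
# Added example (not from the advisory): count 4663 events by account and process,
# mirroring "EventID=4663 AND ObjectType=... | stats count by AccountName, ProcessName".

function Get-ObjectAccessSummary {
    param(
        [int]$EventId = 4663,
        [string]$ObjectTypeFilter = 'DPAPI',   # value taken from the page's query; adjust to your environment
        [int]$MaxEvents = 5000,
        [datetime]$Since = (Get-Date).AddHours(-24)
    )

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId; StartTime = $Since } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    # Flatten each event's EventData into a hashtable keyed by the Data Name attribute.
    $rows = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($ObjectTypeFilter -and $data['ObjectType'] -ne $ObjectTypeFilter) { continue }
        [pscustomobject]@{
            AccountName = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            ProcessName = $data['ProcessName']
            ObjectName  = $data['ObjectName']
            Time        = $e.TimeCreated
        }
    }

    # Equivalent of "stats count by AccountName, ProcessName", with first/last seen for triage.
    $rows | Group-Object AccountName, ProcessName | ForEach-Object {
        [pscustomobject]@{
            AccountName = $_.Group[0].AccountName
            ProcessName = $_.Group[0].ProcessName
            Count       = $_.Count
            FirstSeen   = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen    = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Count -Descending
}

# Run with the page's filter; pass -ObjectTypeFilter '' to see every 4663 object type first.
Get-ObjectAccessSummary | Format-Table -AutoSize
```

Start with the unfiltered run to learn which ObjectType values the audited subcategory emits on your hosts, then narrow the filter; a group with a high count from an unexpected process is the pattern the "Suspicious credential access patterns" indicator above refers to.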